Samsung SmartThings is one of the leading online platforms for connecting smart devices.
The researchers also developed proof-of-concept (PoC) attacks demonstrating how they could disable vacation mode and induce a fake fire alarm.
According to the security team: "We found two forms of overprivilege for SmartThings.

First, coarse-grained capabilities cause over 55% of existing SmartApps to be overprivileged.
Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for.
Our analysis reveals that 42% of existing SmartApps are overprivileged in this way."
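The two forms of overprivilege quoted above, modelled as an added audit example (illustrative code written for this page, not SmartThings' own implementation or the researchers' tool); the capability, command, device and SmartApp names are constructed and real SmartThings capability definitions differ in detail:

```python
# Form 1: a capability is coarse, bundling several commands under one grant.
CAPABILITIES = {
    "lock": {"lock", "unlock"},
    "switch": {"on", "off"},
    "battery": set(),  # attribute-only capability, exposes no commands
}

# Form 2: binding is per device, so every capability the bound device
# supports becomes reachable, not only the one the app requested.
DEVICES = {
    "front_door_lock": {"lock", "battery"},
    "hallway_light": {"switch"},
}

# Constructed SmartApps: capabilities requested, devices the user binds,
# and the commands the app's code actually invokes.
APPS = {
    "auto_lock": {"requested": {"lock"}, "devices": {"front_door_lock"}, "uses": {"lock"}},
    "battery_monitor": {"requested": {"battery"}, "devices": {"front_door_lock"}, "uses": set()},
}


def commands_of(capabilities):
    """Union of all commands exposed by a set of capabilities."""
    return set().union(*(CAPABILITIES[c] for c in capabilities))


def coarse_capability_overprivilege(app):
    """Form 1: commands inside the requested capabilities the app never uses."""
    return commands_of(app["requested"]) - app["uses"]


def coarse_binding_overprivilege(app):
    """Form 2: commands reachable via the bound devices' other capabilities."""
    reachable = set()
    for dev in app["devices"]:
        reachable |= commands_of(DEVICES[dev] - app["requested"])
    return reachable


def audit(apps=APPS):
    """Report both forms per app so a reviewer can flag overprivileged apps."""
    return {name: {"coarse_capability": coarse_capability_overprivilege(a),
                   "coarse_binding": coarse_binding_overprivilege(a)}
            for name, a in apps.items()}
```

Running `audit()` shows the auto-lock app holding an `unlock` it never uses (form 1) and the battery monitor able to lock and unlock the door it only meant to read a battery level from (form 2).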

Because of this, the researchers could gain access to the house as if they were legitimate users.
The code they implemented redirects the user, which was made possible by a second SmartThings vulnerability.
These vulnerabilities allow an attacker to elevate the privileges used to manage smart home applications.
